malwarewikiaorg-20200223-history
DMR64
'''DMR64''' or '''DMR''' is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. It is part of the BigBobRoss family.

== Payload Transmission ==
DMR64 is distributed through spam campaigns, trojans, untrustworthy download channels, illegal activation ("cracking") tools and fake updaters.

== Infection ==
During the encryption process, every affected file is renamed using the pattern "id=<victim's ID><original filename>.DMR64": the victim's unique ID string is inserted directly after "id=", followed by the original filename and the ".DMR64" extension. For example, a file named "1.jpg" would appear as something like "id=1E857D001.jpg.DMR64" (victim ID "1E857D00"), and so on for all of the compromised files.

After this process is complete, DMR64 creates an HTML application, "!!! READ THIS !!!.hta", which contains the ransom note. The note informs victims that their data has been encrypted and that, to recover it, they must contact the developers of DMR64 ransomware using the email address provided. In the subject field of the email, users are to write their ID (generated individually for each victim and listed both in the note and in the filename of every encrypted file). If the cyber criminals do not respond within 48 hours, victims are to use the alternative email address. Users are warned that the decryption keys (necessary for data recovery) will only be stored for a week; the implication is that victims who fail to contact the criminals and/or pay the ransom within that time will be left with encrypted files (i.e. permanent data loss). The size of the demanded payment is not specified, only that the sum will depend on how quickly users establish contact. The ransom must be paid in Bitcoin, and the message contains links explaining how and where to acquire Bitcoins. Free decryption of one file is offered as proof that recovery is possible.
This test file cannot be larger than 1Mb (non-archived) and must not contain valuable information (e.g. database, backup, large excel sheet and similar). The note ends with warnings: victims are alerted that renaming the encrypted files and/or attempting decryption with third-party tools may cause permanent data damage.

Text presented in DMR64 ransomware's pop-up window ("!!! READ THIS !!!.hta"):

All your files have been encrypted!
Your documents, photos, databases and other important files have been encrypted with strongest encryption.
you can return all your files if you want to restore files, write us to the e-mail: Agent.DMR@protonmail.com
Write this ID in the subject e-mail:1E857D00
Only in case you do not receive a response from the first email address withit 48 hours, please use this alternative email adress: Agent.DMR@aol.com
It is in your interest to respond as soon as possible to ensure the restoration of your files, because we wont keep your decryption keys at our server more than one week.
The price depends on how fast you write to us.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
You can buy bitcoin from here: https:localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http:www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Using another tools could corrupt your files, in case of using third party software we don't give guarantees that full recovery is possible so use it on your own risk.
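As an added example (not code from the wiki or from any tool it references), the Python script below recognises files renamed with the DMR64 pattern described above, recovers each original filename, groups the hits by victim ID and flags whether the ransom note is present, which is useful when triaging a suspected infection. It assumes the victim ID is eight hexadecimal characters, as in the example "1E857D00"; the page does not state the ID length.

```python
import re
from pathlib import Path
from collections import defaultdict

# DMR64 rename pattern from the page: "id=<victim ID><original filename>.DMR64".
# Assumption: the ID is 8 hex characters, as in the page's example "1E857D00".
DMR64_NAME = re.compile(r"^id=(?P<vid>[0-9A-F]{8})(?P<orig>.+)\.DMR64$")
RANSOM_NOTE = "!!! READ THIS !!!.hta"   # note filename given on the page


def parse_dmr64_name(name: str):
    """Return (victim_id, original_filename) for a DMR64-renamed file, else None."""
    m = DMR64_NAME.match(name)
    if not m:
        return None
    return m.group("vid"), m.group("orig")


def triage(names):
    """Group DMR64-renamed files by victim ID and record whether the note exists."""
    by_id = defaultdict(list)
    note_present = False
    for n in names:
        if n == RANSOM_NOTE:
            note_present = True
            continue
        parsed = parse_dmr64_name(n)
        if parsed:
            vid, orig = parsed
            by_id[vid].append(orig)
    return {"victim_ids": dict(by_id), "ransom_note_present": note_present}


def scan_directory(root):
    """Walk a directory tree and triage every file name found in it."""
    return triage(p.name for p in Path(root).rglob("*") if p.is_file())


# Constructed sample listing (not from a real infection) for a stand-alone run.
SAMPLE = [
    "id=1E857D001.jpg.DMR64",
    "id=1E857D00report.docx.DMR64",
    "!!! READ THIS !!!.hta",
    "notes.txt",
    "id=DEADBEEFbackup.sql.DMR64",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run `scan_directory("/path/to/share")` against a mounted volume to get the same summary for real files; a non-empty victim ID set together with the note file is a strong indicator that DMR64 ran there.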